Subnets
On AWS it is trivial to configure private subnets and public subnets within your VPC leaving only the public subnets with access to the Internet gateway and the private subnets unroutable to from the outside world. In other words, standard networking isolation. If anyone installs a DB of any kind in a public subnet, they should be hauled over hot coals, slowly, before being thrown to a pack of rabid hyenas.